rpms/tetex/FC-3 tetex-2.0.2-CVE-2005-3193.patch, 1.2, 1.3 tetex.spec, 1.52, 1.53
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jan 11 15:14:54 UTC 2006
- Previous message (by thread): rpms/tetex/FC-4 tetex-3.0-CVE-2005-3193.patch, 1.2, 1.3 tetex-3.0-texdoc-defaults.patch, 1.1, 1.2 tetex-3.0-texmfcnf.patch, 1.1, 1.2 tetex.spec, 1.69, 1.70
- Next message (by thread): rpms/device-mapper/devel device-mapper-1.02.02-pkg-config.patch, NONE, 1.1 device-mapper-1.02.02-selinux.patch, NONE, 1.1 device-mapper.spec, 1.24, 1.25 device-mapper-selinux.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jnovy
Update of /cvs/dist/rpms/tetex/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv27334
Modified Files:
tetex-2.0.2-CVE-2005-3193.patch tetex.spec
Log Message:
* Wed Jan 11 2006 Jindrich Novy <jnovy at redhat.com> 2.0.2-21.7.FC3
- apply additional patch to fix xpdf flaws from Ludwig Nussel
(CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
tetex-2.0.2-CVE-2005-3193.patch:
JBIG2Stream.cc | 45 +++++++++++++++++++++++++++++++++++++++++----
Stream.cc | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
Stream.h | 3 +++
3 files changed, 90 insertions(+), 6 deletions(-)
Index: tetex-2.0.2-CVE-2005-3193.patch
===================================================================
RCS file: /cvs/dist/rpms/tetex/FC-3/tetex-2.0.2-CVE-2005-3193.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- tetex-2.0.2-CVE-2005-3193.patch 19 Dec 2005 10:25:22 -0000 1.2
+++ tetex-2.0.2-CVE-2005-3193.patch 11 Jan 2006 15:14:51 -0000 1.3
@@ -1,14 +1,15 @@
--- tetex-src-2.0.2/libs/xpdf/xpdf/Stream.h.CVE-2005-3193 2002-11-03 23:15:37.000000000 +0100
-+++ tetex-src-2.0.2/libs/xpdf/xpdf/Stream.h 2005-12-19 10:38:11.000000000 +0100
-@@ -227,6 +227,7 @@ public:
++++ tetex-src-2.0.2/libs/xpdf/xpdf/Stream.h 2006-01-09 15:31:46.000000000 +0100
+@@ -225,6 +225,8 @@ public:
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
int lookChar();
int getChar();
-+ GBool isOk() { return ok; }
- private:
-
-@@ -242,6 +243,7 @@ private:
+@@ -242,6 +244,7 @@ private:
int rowBytes; // bytes per line
Guchar *predLine; // line buffer
int predIdx; // current index in predLine
@@ -17,7 +18,7 @@
//------------------------------------------------------------------------
--- tetex-src-2.0.2/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193 2002-12-06 00:44:33.000000000 +0100
-+++ tetex-src-2.0.2/libs/xpdf/xpdf/Stream.cc 2005-12-19 10:38:11.000000000 +0100
++++ tetex-src-2.0.2/libs/xpdf/xpdf/Stream.cc 2006-01-09 15:31:46.000000000 +0100
@@ -15,6 +15,7 @@
#include <stdio.h>
#include <stdlib.h>
@@ -32,21 +33,21 @@
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
-+
+
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
-+ nComps >= INT_MAX / nBits ||
-+ width >= INT_MAX / nComps / nBits)
++ nComps >= INT_MAX/nBits ||
++ width >= INT_MAX/nComps/nBits) {
+ return;
-
++ }
nVals = width * nComps;
-+ if (nVals + 7 <= 0)
++ if (nVals * nBits + 7 <= 0) {
+ return;
-+
++ }
pixBytes = (nComps * nBits + 7) >> 3;
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
-+ if (rowBytes < 0)
++ if (rowBytes < 0) {
+ return;
-+
++ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
@@ -59,62 +60,60 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
-+ if ( !pred->isOk()) {
-+ delete pred;
-+ pred = NULL;
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
+ }
} else {
pred = NULL;
}
-@@ -1226,6 +1246,11 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+@@ -1226,6 +1246,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
-+ if (columns < 1 || columns + 2 < 0 || columns + 3 < 0 ||
-+ (columns + 2) >= INT_MAX / sizeof(short) || (columns + 3) >= INT_MAX / sizeof(short)) {
++ if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
+ error(-1, "invalid number of columns");
+ exit(1);
+ }
rows = rowsA;
endOfBlock = endOfBlockA;
black = blackA;
-@@ -2860,6 +2885,11 @@ GBool DCTStream::readBaselineSOF() {
+@@ -2860,6 +2884,11 @@ GBool DCTStream::readBaselineSOF() {
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
-+ numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
++ numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
-@@ -2886,6 +2916,11 @@ GBool DCTStream::readProgressiveSOF() {
+@@ -2886,6 +2915,11 @@ GBool DCTStream::readProgressiveSOF() {
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
-+ numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
++ numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
-@@ -2908,6 +2943,11 @@ GBool DCTStream::readScanInfo() {
+@@ -2908,6 +2942,10 @@ GBool DCTStream::readScanInfo() {
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
-+ scanInfo.numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
-@@ -2975,12 +3015,12 @@ GBool DCTStream::readHuffmanTables() {
+@@ -2975,12 +3013,12 @@ GBool DCTStream::readHuffmanTables() {
while (length > 0) {
index = str->getChar();
--length;
@@ -129,7 +128,7 @@
if (index >= numACHuffTables)
numACHuffTables = index+1;
tbl = &acHuffTables[index];
-@@ -3068,9 +3108,11 @@ int DCTStream::readMarker() {
+@@ -3068,9 +3106,11 @@ int DCTStream::readMarker() {
do {
do {
c = str->getChar();
@@ -141,19 +140,19 @@
} while (c == 0xff);
} while (c == 0x00);
return c;
-@@ -3178,6 +3220,10 @@ FlateStream::FlateStream(Stream *strA, i
+@@ -3178,6 +3218,10 @@ FlateStream::FlateStream(Stream *strA, i
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
-+ if ( !pred->isOk()) {
-+ delete pred;
-+ pred = NULL;
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
+ }
} else {
pred = NULL;
}
--- tetex-src-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc.CVE-2005-3193 2002-11-16 16:02:19.000000000 +0100
-+++ tetex-src-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc 2005-12-19 10:38:11.000000000 +0100
++++ tetex-src-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc 2006-01-09 15:31:46.000000000 +0100
@@ -7,6 +7,7 @@
//========================================================================
@@ -162,47 +161,61 @@
#ifdef USE_GCC_PRAGMAS
#pragma implementation
-@@ -977,6 +978,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+@@ -977,7 +978,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = wA;
h = hA;
line = (wA + 7) >> 3;
+- data = (Guchar *)gmalloc(h * line);
+
-+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ error(-1, "invalid width/height");
+ data = NULL;
+ return;
+ }
+
- data = (Guchar *)gmalloc(h * line);
++ // need to allocate one extra guard byte for use in combine()
++ data = (Guchar *)gmalloc(h * line + 1);
++ data[h * line] = 0;
}
-@@ -986,6 +994,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -986,8 +996,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
+- data = (Guchar *)gmalloc(h * line);
+
-+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ error(-1, "invalid width/height");
+ data = NULL;
+ return;
+ }
+
- data = (Guchar *)gmalloc(h * line);
++ // need to allocate one extra guard byte for use in combine()
++ data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
++ data[h * line] = 0;
}
-@@ -1012,7 +1027,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
+
+ JBIG2Bitmap::~JBIG2Bitmap() {
+@@ -1012,10 +1031,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
- if (newH <= h) {
-+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
++ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1)/ line) {
+ error(-1, "invalid width/height");
+ gfree(data);
+ data = NULL;
return;
}
- data = (Guchar *)grealloc(data, newH * line);
-@@ -2505,6 +2523,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
+- data = (Guchar *)grealloc(data, newH * line);
++ // need to allocate one extra guard byte for use in combine()
++ data = (Guchar *)grealloc(data, newH * line + 1);
+ if (pixel) {
+ memset(data + h * line, 0xff, (newH - h) * line);
+ } else {
+@@ -2505,6 +2528,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
@@ -218,7 +231,7 @@
patternDict = (JBIG2PatternDict *)seg;
bpp = 0;
i = 1;
-@@ -3078,6 +3105,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
+@@ -3078,6 +3110,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2;
int x, y, pix;
Index: tetex.spec
===================================================================
RCS file: /cvs/dist/rpms/tetex/FC-3/tetex.spec,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- tetex.spec 19 Dec 2005 10:25:22 -0000 1.52
+++ tetex.spec 11 Jan 2006 15:14:51 -0000 1.53
@@ -9,7 +9,7 @@
Summary: The TeX text formatting system.
Name: tetex
Version: 2.0.2
-Release: 21.6
+Release: 21.7.FC3
License: distributable
Group: Applications/Publishing
Requires: tmpwatch, dialog, ed
@@ -892,6 +892,10 @@
%defattr(-,root,root)
%changelog
+* Wed Jan 11 2006 Jindrich Novy <jnovy at redhat.com> 2.0.2-21.7.FC3
+- apply additional patch to fix xpdf flaws from Ludwig Nussel
+ (CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
+
* Mon Dec 19 2005 Jindrich Novy <jnovy at redhat.com> 2.0.2-21.6
- apply more complete fix for CVE-2005-3193 (#175110) suggested by
security response team, taken from xpdf
- Previous message (by thread): rpms/tetex/FC-4 tetex-3.0-CVE-2005-3193.patch, 1.2, 1.3 tetex-3.0-texdoc-defaults.patch, 1.1, 1.2 tetex-3.0-texmfcnf.patch, 1.1, 1.2 tetex.spec, 1.69, 1.70
- Next message (by thread): rpms/device-mapper/devel device-mapper-1.02.02-pkg-config.patch, NONE, 1.1 device-mapper-1.02.02-selinux.patch, NONE, 1.1 device-mapper.spec, 1.24, 1.25 device-mapper-selinux.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list